CIBA: Authentication Error Responses can't all be returned from the Backchannel Authentication Endpoint

Issue #81 resolved
Dave Tonge created an issue

These are the errors defined for the Authentication Error Response:

  • invalid_request
  • invalid_scope
  • expired_token
  • unauthorized_client
  • access_denied
  • unknown_user_id

However, the access_denied error can't be returned from the Backchannel Authentication Endpoint as it will only occur after the OP has attempted to authenticate the user out of band on the authentication device.

The access_denied error should therefore be returned from the token endpoint for polling and notification callback modes.

For the delivery callback mode (formerly the notification mode), the error should be sent to the client notification endpoint.
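Added example (not part of this issue or of the CIBA spec text) showing what the above means for a poll-mode client: access_denied and expired_token coming back from the token endpoint are final and must stop the poll loop, whereas authorization_pending and slow_down (assumed here from the CIBA token endpoint error set; neither is listed in this issue) are retried. The response sequence and the auth_req_id are constructed for the example.

```python
import json
from dataclasses import dataclass, field

# Errors the token endpoint returns while the OP is still authenticating the
# user on the authentication device; any other error ends the exchange.
RETRY_ERRORS = {"authorization_pending", "slow_down"}

@dataclass
class PollResult:
    outcome: str        # "granted", "denied", "expired" or "error"
    interval: int       # polling interval (seconds) in effect when we stopped
    body: dict = field(default_factory=dict)

def classify(status: int, raw_body: str):
    """Map one token endpoint response to 'token', 'retry', or a terminal
    error code. Unknown error codes are treated as terminal, not retried."""
    body = json.loads(raw_body)
    if status == 200 and "access_token" in body:
        return "token", body
    err = body.get("error", "unknown_error")
    return ("retry" if err in RETRY_ERRORS else err), body

def poll_for_token(responses, interval: int = 5) -> PollResult:
    """Drive a poll-mode exchange over `responses`, a constructed stand-in for
    repeated token endpoint POSTs carrying the auth_req_id (a real client
    sleeps `interval` seconds between them). Stops at the first final answer."""
    for status, raw in responses:
        action, body = classify(status, raw)
        if action == "token":
            return PollResult("granted", interval, body)
        if action == "retry":
            if body["error"] == "slow_down":
                interval += 5   # back off for this and all subsequent polls
            continue            # authorization_pending: user not done yet
        if action == "access_denied":
            # User (or OP on their behalf) declined on the device: stop polling.
            return PollResult("denied", interval, body)
        if action == "expired_token":
            return PollResult("expired", interval, body)
        return PollResult("error", interval, body)
    return PollResult("error", interval, {"error": "no_terminal_response"})

# Constructed sample: two pending polls, a slow_down, then the user declines
# on the authentication device and the token endpoint reports access_denied.
SAMPLE = [
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "slow_down"}'),
    (400, '{"error": "authorization_pending"}'),
    (400, '{"error": "access_denied", "error_description": "user declined"}'),
]
```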

Comments (6)

  1. Dave Tonge reporter

    There was discussion that access_denied could still be a valid error in the authentication error response as a user may have blanket blocked access to a certain type of client or the AS might make the decision on the user's behalf. The spec should expand on the definition of access_denied.

    However we agreed that it was also possible for an access_denied error to be returned from the token endpoint and that the spec should add this in.

  2. Dave Tonge reporter

    To discuss:

    • expired_login_hint_token
    • HTTP error codes (I've removed the 404 response)

    Do we need this error and what should it be called? It was generically called expired_token but I think we've agreed that an id_token_hint could be an expired id_token, so it doesn't make sense to apply the error to id_token_hints.